We’ve read the Russian report so you don’t have to

The long-awaited report by a UK parliamentary committee into the extent to which Russian cyber tentacles have penetrated UK infrastructure, and whether they influenced some of the biggest decisions of a generation, has finally been published.

As is often the case, it raised more questions than answers. So, what is the threat from Russia and how does it impact senior cyber-security people running business in the UK?

But first: what did it actually say?

“Russia is a highly capable cyber actor with a proven capability to carry out operations which can deliver a range of impacts across any sector” – that’s the report’s headline observation.

It details how the GRU (Russian Security Services) have orchestrated numerous phishing attempts against Government departments, including against the Foreign and Commonwealth Office and the Defence Science and Technology Laboratory during the early stages of the investigation into the Salisbury attacks.

The document, published by the House of Commons Intelligence and Security Committee, also confirms the involvement of organised crime in official state activities, something that had been an open secret among many academics and law enforcement agencies specialising in this area.

“A quite considerable balance of intelligence now shows the links between serious and organised crime groups and Russian state activity.

“We’ve seen more evidence of serious and organised crime being connected at high levels of Russian state and Russian intelligence”, in what it described as a “symbiotic relationship”.

The report concludes that Russia’s cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a “matter of grave concern”, and poses an immediate and urgent threat to our national security.

Interestingly, it argues the security threat posed appears “fundamentally nihilistic”, nihilism being the belief that all knowledge and all life is meaningless.

For anyone without a philosophy degree, this essentially means there is no grand Russian plan to bring down the UK government, rather that through disinformation and misdirection they are content to muddy the waters, sowing seeds of disharmony rather than organising an outright mutiny. 

The Russian strategies

  • Use of state-owned traditional media
  • ‘Bots’ and ‘trolls’: open source studies have identified significant activity on social media
  • ‘Hack and leak’: the US has publicly avowed that Russia conducted ‘hack and leak’ operations in relation to its presidential election in 2016, and it has been widely alleged that Russia was responsible for a similar attack on the French presidential election in 2017
  • ‘Real life’ political interference: it has been widely reported that Kremlin-linked entities have made ‘soft loans’ to the (then) Front National in France, seemingly at least in part as a reward for the party having supported Russia’s annexation of Crimea; and the GRU sponsored a failed coup in Montenegro in October 2016

Brexit play and miss

A key point from the report, and one of the most astonishing given its impact on the country’s economic and social state, is the failure to investigate the extent of any Russian influence on the Brexit referendum. Instead, the report concluded “the impact of any such attempt would be difficult – if not impossible – to assess,” and so they didn’t try.

As always with reports that deal with sensitive capabilities, there is a delicate game of international poker being played. The UK government is fully aware that the Russian GRU will scrutinise whatever it publishes in this non-redacted version of the report, and as such specific security-cleared individuals have seen a further classified annex.

If all information on the matter were placed in the public domain, this would give Russia the strategic advantage, because they would know everything that we know about them. Conversely, if too little is released it risks accusations of both ineptitude and opaqueness.

Controlling the loss of control

But the fact that no attempt was made to categorise Brexit interference hints at an acceptance of a loss of control within the cybersphere. That is a worrying trend, given it is the source of so much of our information, and one that, short of advising utmost caution when researching internet sources for corporate purposes, there is very little that can be done to solve.

Also, the fact that no IT or security professional SC Media UK contacted would comment on the vulnerability of UK infrastructure to Russian attack, or on the implications of Russian misinformation campaigns for users’ trust in digital media, in itself reveals more than any quote.

There is a nation with the means and motive to spread disinformation and a proven track record in doing so, alongside an admission from the government that it isn’t monitoring the extent of this manipulation.

From the perspective of a CISO, this is a challenge that is unlikely to disappear any time soon, and it demands extra vigilance and mitigation. 

The risk extends beyond government to business because all staff are prone to manipulation and exploitation. So education is essential. Three things to advise: 1) explain to employees the risk on social media and on other platforms; 2) encourage all staff to corroborate information gleaned from social media through a separate source (pick up the phone if necessary!); 3) thoroughly check the background of any account you use for corroboration or information – giveaways are often the number of followers and linguistic inconsistencies.